Tage writes:
>I have a server using advanced security to authenticate users from an odbc
>user directory. That works just fine for protecting the CF parts of my web
>with an IsAuthenticated() in the application.cfm file. Now, my problem is
>that I have some other files - a bunch of zips that I want to be protected
>as well....<snip>
I'm working on a similar project. Since Cold Fusion won't protect documents
without a .cfm extension, the trick is to move the files outside the
webserver and then enable access to those files THROUGH a .cfm template
using <cfcontent> or <cfheader>. I've included my example code for such a
page below.
Be very careful to limit the scope of the documents that can be accessed
this way, as it can potentially open up big read-holes on the server
machine.
Hope it helps :)
Charlie Arnold
Application Developer / Data Templar
Weberize
www.weberize.com
___________________________________________________________________
<!--- This method checks to see if the user is logged in and redirects them to the
login page if not. I'm using this rather than application.cfm for efficiency...we
employ a heavily modular style of coding and I don't want to check login status
unnecessarily. --->
<cfinclude template="../mod/mod_IsLoggedIn.cfm">
<!--- Is the user authorized to view the file requested? Same as above, the user is
redirected via <cflocation> if she's not authorized. --->
<cfinclude template="../mod/mod_IsAuthorized.cfm">
<!--- Create a struct and populate it with keys equal to the possible file extensions
your user might be after and values appropriate for the file type to be specified in the
<cfcontent> tag. I'm using struct lookup here as it's faster than looping through an
array. --->
<cfset structType = StructNew()>
<cfset structType["doc"] = "application/msword">
<cfset structType["pdf"] = "application/pdf">
<cfset structType["htm"] = "text/html">
<cfset structType["cfm"] = "text/html">
<cfset sDocType = right(url.docpath, 3)>
<!--- If the extension of the requested document exists as a key in the structure, run
<cfcontent> on the document with the value of the key in the 'type' parameter, otherwise
redirect with <cflocation> --->
<cfif structKeyExists(structType, sDocType)>
    <cfcontent file="e:\#url.docpath#" type="#structType[sDocType]#" deletefile="no">
<cfelse>
    <cflocation url="../../index.cfm?error=1">
</cfif>
-----Original Message-----
From: Tage Widsell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 10, 2000 12:20 PM
To: CF-Talk
Subject: Security dilemma
Hi,
First of all - I'm not a server admin or security expert, so here we go:
I have a server using advanced security to authenticate users from an odbc
user directory. That works just fine for protecting the CF parts of my web
with an IsAuthenticated() in the application.cfm file. Now, my problem is
that I have some other files - a bunch of zips that I want to be protected
as well. If someone knew the URL (www.mydomain.com/protected/thefile.zip)
they could just bypass my beloved security and download it. Is there any way
to set up security in ColdFusion to restrict any access or does it work
only on coldfusion templates?
This site is on a NT4/CF Pro 4.0.1. I don't have much experience with NT. I
guess what I'm looking for is something like .htaccess on unix.
Any ideas are appreciated.
Regards
Tage Widsell
Webmaster
Propellerhead Software
------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.
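The scoping the reply warns about, as an added example that is not part of the original post or Charlie Arnold's code: a variant of the download template that serves only from one dedicated folder and accepts only allow-listed relative paths. The folder e:\protected_docs\, the "zip" entry and the path pattern are assumptions; docpath is expected as a relative path with forward slashes, such as manuals/guide.pdf.

```cfml
<!--- Added example. sBaseDir, the zip entry and the allow-list pattern are
      assumptions, not values from the original post. --->
<cfinclude template="../mod/mod_IsLoggedIn.cfm">
<cfinclude template="../mod/mod_IsAuthorized.cfm">

<!--- Hypothetical dedicated folder outside the web root. Serving from a single
      folder instead of the whole e:\ drive bounds what a request can read. --->
<cfset sBaseDir = "e:\protected_docs\">

<!--- Only types meant for download. No "cfm" entry, so template source is
      never handed out through this page. --->
<cfset structType = StructNew()>
<cfset structType["doc"] = "application/msword">
<cfset structType["pdf"] = "application/pdf">
<cfset structType["zip"] = "application/zip">

<!--- A missing parameter becomes an empty string and fails the checks below --->
<cfparam name="url.docpath" default="">

<!--- Allow-list: segments of letters, digits, "_" and "-" separated by "/",
      then exactly one dot and an extension. A single test rejects "..",
      drive letters, backslashes, leading slashes and extra dots. --->
<cfset bNameOk = REFind("^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\.[A-Za-z0-9]+$", url.docpath) EQ 1>

<!--- Take the extension from the last dot rather than the last three
      characters, so "x.html" and "xpdf" are not mistaken for known types. --->
<cfset sExt = LCase(ListLast(url.docpath, "."))>
<cfset sFileName = ListLast(url.docpath, "/")>
<cfset sFullPath = sBaseDir & Replace(url.docpath, "/", "\", "ALL")>

<cfif bNameOk AND StructKeyExists(structType, sExt) AND FileExists(sFullPath)>
    <!--- sFileName passed the allow-list, so it is safe to place in a header --->
    <cfheader name="Content-Disposition" value="attachment; filename=#sFileName#">
    <cfcontent file="#sFullPath#" type="#structType[sExt]#" deletefile="no">
<cfelse>
    <!--- Same response for "not allowed" and "not found", so the page does
          not reveal which files exist --->
    <cflocation url="../../index.cfm?error=1">
</cfif>
```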